The Return of the Worm That Ate the Pentagon

It’s back. The story of the worm that ate the Pentagon just won’t go away.

The attack of the Agent.btz worm, dubbed “the most serious breach of the U.S. military’s classified computer systems,” is getting another telling, this time in the Washington Post. The story adds new details about the intrusion — and reveals that some in the military wanted to use “offensive tools” to remove the malware on overseas and civilian networks. But the article still doesn’t uncover anything that justifies the hyperbole that the government has used for this breach since it was first uncovered.

Danger Room broke the story in November 2008 that the Army got spooked by Agent.btz after it was discovered crawling through the Secret Internet Protocol Router Network, which the Defense and State departments use to transmit classified material, noting at the time that the U.S. Strategic Command had suspended the use of USB drives as well as external hard drives and any other removable media as a result of the worm. The Post story adds that the Joint Worldwide Intelligence Communication System, which carries top-secret information to U.S. officials throughout the world, was also infected.

The Pentagon effort to disinfect systems took 14 months, in an operation dubbed “Buckshot Yankee,” a process that eventually led the armed forces to revamp its information defenses and create a new military unit, U.S. Cyber Command.

Then last year, Deputy Defense Secretary William Lynn upped the quotient when he wrote in Foreign Affairs magazine that the worm was a deliberate attack by a foreign intelligence agency that had placed the worm on a flash drive. Small problem: He didn’t present any evidence to back up his assertion that this was anything more than a run-of-the-mill malware infection.

“That code spread undetected on both classified and unclassified systems, establishing what amounted to a digital beachhead, from which data could be transferred to servers under foreign control,” Lynn wrote. “It was a network administrator’s worst fear: a rogue program operating silently, poised to deliver operational plans into the hands of an unknown adversary.”

Lynn never said whether information actually was siphoned from the systems, nor does the Post say that anything was taken. All the Post says is that once on systems, the worm began “beaconing” out to its creator – that is, phoning home in the way that all botnet malware does once it’s on an infected system to receive instructions about what to do next.
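The “beaconing” the Post describes is exactly the behavior a network defender looks for: an infected host that keeps contacting the same outside address at a nearly fixed interval. The script below is an added example, not code from the article or from the Buckshot Yankee investigation; it assumes a simple hypothetical connection-log format (`timestamp src=… dst=… dport=…`) and runs over constructed sample lines in which one host phones home roughly every ten minutes while another host browses the same destination irregularly. It groups connections by source/destination pair, measures the gaps between them, and flags pairs whose gaps barely vary.

```python
"""Flag periodic outbound connections ("beaconing") in a connection log.

Added example: the log format is hypothetical and the sample lines are
constructed; nothing here comes from the Post story or from the Pentagon's
own investigation.
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: 10.1.2.3 contacts 203.0.113.7 every ~600 s with a few
# seconds of jitter (a beacon); 10.1.2.9 contacts 198.51.100.5 irregularly.
SAMPLE_LOG = """\
2008-10-24T13:00:00 src=10.1.2.3 dst=203.0.113.7 dport=80 bytes=412
2008-10-24T13:00:05 src=10.1.2.9 dst=198.51.100.5 dport=80 bytes=9120
2008-10-24T13:00:40 src=10.1.2.9 dst=198.51.100.5 dport=80 bytes=3311
2008-10-24T13:03:10 src=10.1.2.9 dst=198.51.100.5 dport=443 bytes=15020
2008-10-24T13:05:00 src=10.1.2.3 dst=198.51.100.5 dport=80 bytes=7000
2008-10-24T13:07:00 src=10.1.2.3 dst=198.51.100.5 dport=80 bytes=1200
2008-10-24T13:10:02 src=10.1.2.3 dst=203.0.113.7 dport=80 bytes=410
2008-10-24T13:15:00 src=10.1.2.9 dst=198.51.100.5 dport=80 bytes=2200
2008-10-24T13:16:30 src=10.1.2.9 dst=198.51.100.5 dport=80 bytes=480
2008-10-24T13:19:58 src=10.1.2.3 dst=203.0.113.7 dport=80 bytes=415
2008-10-24T13:30:01 src=10.1.2.3 dst=203.0.113.7 dport=80 bytes=409
2008-10-24T13:40:00 src=10.1.2.3 dst=203.0.113.7 dport=80 bytes=412
2008-10-24T13:49:59 src=10.1.2.3 dst=203.0.113.7 dport=80 bytes=411
2008-10-24T13:50:00 src=10.1.2.9 dst=198.51.100.5 dport=80 bytes=6600
2008-10-24T14:00:03 src=10.1.2.3 dst=203.0.113.7 dport=80 bytes=413
2008-10-24T14:10:00 src=10.1.2.3 dst=203.0.113.7 dport=80 bytes=410
this line is malformed and is skipped by the parser
"""

# Hypothetical log line layout: ISO timestamp, then key=value fields.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)"
)


def parse_log(text):
    """Return a list of (timestamp, src, dst) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append((datetime.fromisoformat(m["ts"]), m["src"], m["dst"]))
    return events


def find_beacons(events, min_count=5, max_cv=0.15):
    """Group connections by (src, dst) and flag pairs whose inter-connection
    gaps are nearly constant.

    The test is the coefficient of variation (stdev / mean) of the gaps:
    a scheduled beacon, even with jitter, scores near 0; human browsing
    scores well above 1. Pairs with fewer than min_count connections are
    ignored so that a couple of coincidental hits do not fire.
    """
    by_pair = defaultdict(list)
    for ts, src, dst in events:
        by_pair[(src, dst)].append(ts)

    hits = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < max(min_count, 2):  # need at least one gap
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:  # all connections at the same instant: not a beacon
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            hits[pair] = {"count": len(stamps), "mean_interval": avg, "cv": cv}
    return hits


if __name__ == "__main__":
    for (src, dst), s in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(f"{src} -> {dst}: {s['count']} connections, "
              f"every ~{s['mean_interval']:.0f}s (cv={s['cv']:.3f})")
```

On the sample data only the 10.1.2.3 to 203.0.113.7 pair is reported (eight connections, mean gap 600 s). The threshold on the coefficient of variation is the knob to tune: malware that randomizes its sleep interval widely will score higher, and a legitimate software-update check will score just as low as a beacon, so the output is a candidate list for an analyst, not a verdict.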

The Post says the beacons were first noticed by an analyst in the NSA’s Advanced Networks Operations (ANO) team, a group of young techies housed on the NSA campus, whose job is to hunt for suspicious activity on the government’s secure networks. They then reached out to Richard C. Schaeffer Jr., the NSA’s top computer systems protection officer at the time.

On the afternoon of Friday, Oct. 24, [Schaeffer Jr.] was in an agency briefing with President George W. Bush, who was making his last visit to the NSA before leaving office. An aide handed Schaeffer a note alerting him to the breach.

At 4:30 p.m., Schaeffer entered the office of Gen. Keith Alexander, the NSA director and a veteran military intelligence officer… “We’ve got a problem,” he said.

The “problem” began in October 2008 in Afghanistan where someone appeared to pick up the infection from a cybercafé and passed it to government systems on an infected thumb drive.

“We knew fairly confidently that the mechanism had been somebody going to a kiosk and doing something they shouldn’t have as opposed to somebody who had been able to get inside the network,” one former official told the Post.

The worm spread widely on military computers around the world, especially in Iraq and Afghanistan.

The article goes on to detail the process of neutralizing the malware on infected machines before cleaning out the code. Officials debated whether to use “offensive tools to neutralize the malware on non-military networks,” including infected machines in other countries. Senior officials nixed the idea “on the grounds that Agent.btz appeared to be an act of espionage, not an outright attack, and didn’t justify such an aggressive response.”

A few weeks later, the order went out banning the use of thumb drives, which generated a backlash among officers in the field, “many of whom relied on the drives to download combat imagery or share after-action reports.”

The NSA and the military investigated for months how the infection occurred. They retrieved thousands of thumb drives, many of which were infected. Much energy was spent trying to find “Patient Zero,” officials said. “It turned out to be too complicated.”

…The rate of new infections finally subsided in early 2009. Officials say no evidence emerged that Agent.btz succeeded in communicating with a master computer or in putting secret documents in enemy hands.

But that’s not the end of the story. The phantom “attack” on the Pentagon gave NSA Director Alexander the platform to press the case that the new Cyber Command should be able to use the NSA’s capabilities to obtain foreign intelligence to defend the military’s systems. It also renewed discussion among senior officials at the White House and key departments about how to best protect critical infrastructure networks that are in the hands of the private sector.

“Some officials argued that the military was better equipped than the Department of Homeland Security to respond to a major destructive attack on a power grid or other critical system, but others disagreed,” the Post writes.

It also raised questions about how aggressively military commanders could respond to perceived attacks on their computer systems.

“You have the right of self-defense, but you don’t know how far you can carry it and under what circumstances, and in what places,” recently retired vice chairman of the Joint Chiefs, James E. Cartwright Jr., told the paper. “So for a commander who’s out there in a very ambiguous world looking for guidance, if somebody attacks them, are they supposed to run? Can they respond?”